Page 1: DNSSEC: A Game Changer ICCS 2012 January 9, 2012 New York, NY richard.lamb@icann.org.

DNSSEC: A Game Changer

ICCS 2012, January 9, 2012, New York, NY

richard.lamb@icann.org

Page 2

• The Internet did not have security designed into it.

• But has demonstrated time and again that it is a platform for innovation - good and bad.

Page 3

The BAD: DNSChanger - ‘Biggest Cybercriminal Takedown in History’

– 4 million (1/2 million in US)

9 Nov 2011 http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/

Page 4

The BAD: Brazilian ISPs fall victim to a series of DNS attacks

7 Nov 2011 http://www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil

Page 5

The Internet’s Phone Book - Domain Name System (DNS)

[Diagram: a user at an ISP asks the DNS resolver “www.majorbank.com=?”; the resolver walks the DNS hierarchy (root, then com and gov, then majorbank.com, then www.majorbank.com) and the DNS server answers “www.majorbank.com = 1.2.3.4”; the browser then sends “Get page” to the web server www @ 1.2.3.4, receives the login page, submits username / password and reaches the account data.]

Page 6

The BAD: DNS Cache Poisoning Attack

[Diagram: the same lookup “www.majorbank.com=?”, but the attacker injects “www.majorbank.com = 5.6.7.8” into the DNS resolver; the resolver answers 5.6.7.8, the browser sends “Get page” to the attacker’s web server www @ 5.6.7.8, receives a look-alike login page, and the username / password end up in the attacker’s password database while the user only sees an error.]

3 Aug 2008 Dan Kaminsky reveals shortcut http://www.seattlepi.com/local/article/Seattle-security-expert-helped-uncover-major-1281123.php

Page 7

Securing The Phone Book - DNS Security Extensions (DNSSEC)

[Diagram: the DNS resolver with DNSSEC asks the DNS server with DNSSEC “www.majorbank.com=?”; the signed answer “www.majorbank.com = 1.2.3.4” validates, the browser sends “Get page” to the web server www @ 1.2.3.4, receives the real login page and the username / password reach the account data; the attacker’s injected “www.majorbank.com = 5.6.7.8” fails validation.]

Attacker’s record does not validate – drop it

Page 8

The GOOD: DNSSEC

• Add keys to hierarchy and compute digital signatures. Keep it backward compatible

• Based on over 15 years of global technical community development (in IETF) after discovery of vulnerability
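The mechanism the last three slides describe (keys added to the hierarchy, digital signatures over the records, and, as a later slide puts it, one key to validate all) can be modelled in a few dozen lines. The following is an added example written for this page, not ICANN's code or any real resolver's: it builds a constructed root, com. and majorbank.com. hierarchy, has each parent publish a signed DS record (a hash of its child's key), and compares a pre-DNSSEC resolver with a validating one on the forged 5.6.7.8 answer from the cache-poisoning slide. Textbook RSA over Mersenne-prime moduli stands in for the real DNSSEC algorithms, the record formats are simplified, and the zone names, addresses and key sizes are all assumptions.

```python
import hashlib

E = 65537  # public exponent shared by every toy key


def mersenne(k):
    return (1 << k) - 1


def make_key(p_exp, q_exp):
    # Toy RSA key pair from two distinct Mersenne primes (2^k - 1 is prime for
    # every exponent used below). Constructed for the demo; not a real DNSSEC key.
    p, q = mersenne(p_exp), mersenne(q_exp)
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def pub_bytes(key):
    return key["n"].to_bytes((key["n"].bit_length() + 7) // 8, "big")


def digest(owner, rtype, rdata):
    # What gets signed: owner name, record type and data. A stand-in for the
    # canonical RRset wire form that a real RRSIG covers.
    return int.from_bytes(hashlib.sha256(f"{owner}|{rtype}|".encode() + rdata).digest(), "big")


def sign(key, owner, rtype, rdata):
    return pow(digest(owner, rtype, rdata), key["d"], key["n"])


def verify(pub, owner, rtype, rdata, sig):
    return pow(sig, E, int.from_bytes(pub, "big")) == digest(owner, rtype, rdata)


def ds_digest(child, child_pub):
    # DS record: the parent publishes (and signs) a hash of the child's public key.
    return hashlib.sha256(child.encode() + child_pub).digest()


def build_zones():
    """Constructed hierarchy root -> com. -> majorbank.com., each zone signing its records."""
    keys = {".": make_key(2203, 2281), "com.": make_key(1279, 3217),
            "majorbank.com.": make_key(607, 4253)}
    zones = {z: {"dnskey": pub_bytes(k), "records": {}} for z, k in keys.items()}

    def publish(zone, owner, rtype, rdata):
        zones[zone]["records"][(owner, rtype)] = (rdata, sign(keys[zone], owner, rtype, rdata))

    publish(".", "com.", "DS", ds_digest("com.", zones["com."]["dnskey"]))
    publish("com.", "majorbank.com.", "DS", ds_digest("majorbank.com.", zones["majorbank.com."]["dnskey"]))
    publish("majorbank.com.", "www.majorbank.com.", "A", b"1.2.3.4")
    return zones


def zone_chain(owner, zones):
    # Zones from the root down to the one holding the name, e.g.
    # www.majorbank.com. -> ['.', 'com.', 'majorbank.com.'].
    labels = owner.rstrip(".").split(".")
    candidates = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    return [z for z in candidates if z in zones]


def genuine_answer(zones, owner, rtype):
    zone = zone_chain(owner, zones)[-1]
    rdata, sig = zones[zone]["records"][(owner, rtype)]
    return rdata, sig, zones[zone]["dnskey"]


def forged_answer():
    # The poisoned-cache case: right owner name, attacker's address, signed with a
    # key that no parent zone has ever vouched for.
    attacker = make_key(521, 127)
    rdata = b"5.6.7.8"
    return rdata, sign(attacker, "www.majorbank.com.", "A", rdata), pub_bytes(attacker)


def insecure_resolve(answer):
    # Pre-DNSSEC behaviour: whichever answer arrives first is cached and used.
    return answer[0]


def validating_resolve(zones, trust_anchor, owner, rtype, answer):
    """Return the record data only if every link from the trust anchor validates."""
    rdata, sig, answer_dnskey = answer
    chain = zone_chain(owner, zones)
    pub = trust_anchor  # the single configured key: the root's
    for parent, child in zip(chain, chain[1:]):
        ds = zones[parent]["records"].get((child, "DS"))
        if ds is None or not verify(pub, child, "DS", ds[0], ds[1]):
            return None  # no validly signed DS: the parent never delegated securely
        child_key = answer_dnskey if child == chain[-1] else zones[child]["dnskey"]
        if ds_digest(child, child_key) != ds[0]:
            return None  # the key offered for this zone is not the one its parent vouched for
        pub = child_key
    if pub != answer_dnskey or not verify(pub, owner, rtype, rdata, sig):
        return None  # "Attacker's record does not validate - drop it"
    return rdata


if __name__ == "__main__":
    zones = build_zones()
    anchor = zones["."]["dnskey"]
    good = genuine_answer(zones, "www.majorbank.com.", "A")
    bad = forged_answer()
    print("insecure resolver, forged answer:", insecure_resolve(bad))
    print("validating resolver, genuine answer:", validating_resolve(zones, anchor, "www.majorbank.com.", "A", good))
    print("validating resolver, forged answer:", validating_resolve(zones, anchor, "www.majorbank.com.", "A", bad))
```

In a real validator the trust anchor is the root key published by IANA, the DNSKEY, DS and RRSIG records arrive in the DNS responses themselves, and signatures are RSA or ECDSA with proper padding over the canonical RRset wire form. What carries over is the structure: a forged record can only validate if its key is vouched for by a signed DS record at every level up to the one configured trust anchor, which is why the attacker's key, however well it signs its own answer, gets the answer dropped.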

Page 9

The GOOD: DNSSEC

• Listen to calls from global community for deployment:
– Internet community (e.g., RIPE, APNIC, ccNSO…)
– Governments (e.g., USG: DHS/OMB/NIST, EU members)
– Business (e.g., Kaminsky 2008, Press)

Page 10

Deploying it

• Problem
– Bureaucracy and Fear: Hard to change anything that has not changed since 1983. Many excuses not to.
– root - An internationally agreed to single key – right
– Trust me - I will manage the root key. ..uh huh.

Page 11

Look at other International efforts, e.g.,

• ICAO PKD
• Long top down development
• But not a single hierarchy
• Countries (27) pick-up / deposit certificates at ICAO contracted repository in Singapore

Page 12

Approach

• Eliminate excuses and lead by example – start at root
• Solution
– Multi-stakeholder – get buy in up front
– Bottom up – like the Internet itself
– Transparency and Choice
– Draw from existing secure practices and trusted models
• Public-private partnership with US Department of Commerce and VeriSign (existing DNS management partner)

Page 13

DNSSEC at the root: result

• Deployed 15 July 2010
• Completed in ~2 years
• Biggest upgrade to the Internet’s core infrastructure in 20 years
• Set the stage for deployment in rest of hierarchy (e.g., top level domains, end user domains)

Page 14

Cont…

• Got global buy in
• Direct stakeholder participation in key management – 21 Trusted Community Representatives made up of respected members of Internet community from 17 countries
• Currently: URUGUAY, BRAZIL, TRINIDAD AND TOBAGO, CANADA, BENIN, SWEDEN, NEPAL, NETHERLANDS, NEW ZEALAND, RUSSIAN FEDERATION, PORTUGAL, JAPAN, MAURITIUS, CHINA, BURKINA FASO, CZECH REPUBLIC, UNITED KINGDOM, USA

Page 15

Cont….

• Enabled DNSSEC deployment throughout hierarchy – need just one key to validate all
• Publish, broadcast everything.
• Pass 3rd party annual SysTrust audit
• ICANN Secure Key Management Facilities in Culpeper, VA and El Segundo, CA. FIPS 140-2 Level 4 crypto, GSA Class 5 safes, multiple tiers, biometrics, etc.

Page 16

Page 17

ICANN

• ICANN is a global organization that coordinates the Internet’s unique identifier systems for worldwide public benefit, enabling a single, global interoperable Internet.

• ICANN’s inclusive multi-stakeholder model and community-developed policies facilitate billions of computers, phones, devices and people into one Internet.

• ICANN’s mission is to coordinate, at the overall level, the global Internet’s systems of unique identifiers, and in particular, to ensure the stable and secure operation of the Internet’s unique identifier systems. (Source: ICANN Bylaws as amended 25 January 2011)

Page 18

IP addresses, Domain names, Parameters

[Diagram: examples of the three kinds of identifier in use on the Internet]

• Web Server: www.icann.org, port 80, 192.0.1.3
• Email Server: mail.icann.org, port 25, 192.0.1.3
• User’s browser: 123.yourisp.se, port 54332, 204.107.191.131
• User’s phone: rick.tel or 4.3.2.1.7.4.6.2.0.2.1.e164.arpa, port 5060, 168.1.3.123

Page 19

Background

• Created 1998 to continue technical IANA coordination function (previously performed by Jon Postel) on behalf of USG

• MoU with US DoC: ICANN will operate "in a bottom up, consensus driven, democratic manner."

• 2009 AoC: transitions U.S. oversight authority to ICANN’s Governmental Advisory Committee (GAC) and establishes accountability “review teams”

• IANA Function contract still in place

Page 20

Page 21

What ICANN does NOT do

• ICANN does not play a role in policing the Internet or operationally combating criminal behavior.

• ICANN does not have a role in the use of the Internet related to cyber-espionage and cyber war.

• ICANN does not have a role in determining what constitutes illicit conduct on the Internet.

• ICANN IS able to enforce its contracts on registries & registrars

Page 22

ICANN’s Role in DNSSEC

• Manage the root key of this hierarchy together with VeriSign (under contract with the US Department of Commerce) and trusted international representatives of the Internet community

• Process requests for additions/changes/deletions of public key and other records from Registries at the top of the DNS hierarchy (i.e., .com, .se, …etc)

• Educate and assist the Internet community regarding DNSSEC

Page 23

Where we are now

• < 1% – DNSSEC still needs to be deployed on more domain names.
• 82/312 top level domains (e.g., .com) have DNSSEC deployed. Multi-stakeholder managed root key.
• 82% of domain names can have DNSSEC deployed on them.
• Large ISP in US has turned DNSSEC “on”: yesterday ALL 17.8 M COMCAST Internet customers. Vodafone, Telefonica CZ
• Supported by DNS implementations

Page 24

What needs to still happen

• Needs to be widely deployed across the domain names

• Registrars, ISPs, and hosting providers need to support it in a trustworthy fashion

• DNSSEC validation needs to be pushed to the end user

• Raise awareness of the security benefits of DNSSEC and its secure deployment.

Page 25

How to implement DNSSEC?

For Companies:
• Deploy DNSSEC on corporate DNS infrastructure (turn DNSSEC validation “on”)
• Deploy DNSSEC on your domain names (“sign” your corporate domain names)

For Users:
• Ask your ISP about DNSSEC (get DNSSEC validation turned “on” on their DNS servers)

Are we done?
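Signing a domain name, the second item for companies, ends with handing the parent zone a DS record for the zone's key-signing key; that is the addition/change request the registries and ICANN process at the top of the hierarchy (slide 22). The following added example, not ICANN's or any registry's tooling, derives that DS record from a DNSKEY presentation line the way RFC 4034 specifies it: the key tag from Appendix B, and a SHA-256 digest over the canonical owner name followed by the DNSKEY RDATA. The DNSKEY is constructed with a meaningless 6-byte public key so the key tag can be checked by hand; a real one is a few hundred bytes.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY (flags 257 = Zone Key + SEP, i.e. a KSK; algorithm 8 =
# RSA/SHA-256). The public key is 6 meaningless bytes, not a real key.
SAMPLE_DNSKEY = "majorbank.com. IN DNSKEY 257 3 8 AwEAAavN"


def parse_dnskey(line):
    owner, _cls, rtype, flags, proto, alg, *b64 = line.split()
    if rtype != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    return owner, int(flags), int(proto), int(alg), base64.b64decode("".join(b64))


def dnskey_rdata(flags, proto, alg, pubkey):
    # DNSKEY RDATA wire form (RFC 4034 section 2.1): flags(16) protocol(8) algorithm(8) key.
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def wire_name(owner):
    # Canonical owner name (RFC 4034 section 6.2): lowercase, length-prefixed labels,
    # terminated by the zero-length root label.
    out = b""
    for label in owner.lower().rstrip(".").split("."):
        if label:  # the root name "." has no labels of its own
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata):
    # RFC 4034 Appendix B: 16-bit checksum over the RDATA, odd bytes weighted by 256.
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac &= 0xFFFFFFFF
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(line, digest_type=2):
    """Build the DS presentation line the parent zone should publish for this DNSKEY."""
    owner, flags, proto, alg, pubkey = parse_dnskey(line)
    if proto != 3 or not flags & 0x0100:
        raise ValueError("not a DNSSEC zone key (protocol must be 3 and the Zone Key flag set)")
    if not flags & 0x0001:
        # Permitted, but delegations normally point at a key with the SEP bit (257).
        print("warning: SEP flag not set; this looks like a ZSK rather than a KSK")
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]  # RFC 4034 / RFC 4509
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY))
```

Two checks worth keeping in any submission tooling are visible here: the owner name is lowercased before hashing, so a DS computed from a mixed-case DNSKEY line still matches what validators compute, and the key tag is derived from the RDATA rather than typed in, since a mismatched tag makes validators skip the key and the delegation goes bogus.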

Page 26

But wait, there’s more…

“More has happened here today than meets the eye. An infrastructure has been created for a hierarchical security system, which can be purposed and re-purposed in a number of different ways. ..” – Vint Cerf 16 June 2010 Root Key Ceremony

Page 27

Cont…

• Looks like we now have a global, secure database for “free”!
• A globally trusted Public Key Infrastructure
• Enabler for global security applications
• An authentication platform for identification
• Cross-organizational and trans-national
• .. A global platform for innovation

Page 28

Expect: SSL, E-mail, secured VOIP… (e.g. DANE, S/MIME, DKIM, IPSEC)

[Diagram: one DNSSEC root (DNSSEC root - 1) against ~1482 CA certificate roots, with domain names as the anchor for:]

• Login security: SSHFP RFC4255
• Content security: Commercial SSL Certificates for Web and e-mail
• Content security: “Free SSL” certificates for Web and e-mail and “trust agility” (DANE)
• Network security: IPSECKEY RFC4025
• E-mail security: DKIM RFC4871
• VoIP: securing SIP
• Cross-organizational and trans-national identity and authentication
• Yet to be discovered security innovations, enhancements, and synergies

https://www.eff.org/observatory
http://royal.pingdom.com/2011/01/12/internet-2010-in-numbers/
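The first application in that list, SSHFP (RFC 4255), lets an SSH client check a server's host key against a record in the server's zone rather than trusting it on first connection, which is only meaningful once the zone is signed. The following added example, not from the slides or from OpenSSH, produces the SSHFP records an operator would publish for a host from its OpenSSH public-key line; the host name and the 32 Ed25519 key bytes are constructed placeholders, and the algorithm and fingerprint-type numbers follow the RFC 4255, 6594 and 7479 assignments.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) keyed by the OpenSSH key-type string.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FINGERPRINT = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data):
    # SSH wire encoding of a string: 32-bit big-endian length followed by the bytes.
    return struct.pack("!I", len(data)) + data


# Constructed host key: the 32 "public key" bytes are a counting pattern, not a real key.
DUMMY_ED25519 = bytes(range(32))
SAMPLE_PUBKEY_LINE = ("ssh-ed25519 "
                      + base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(DUMMY_ED25519)).decode()
                      + " host key (constructed)")


def parse_openssh_pubkey(line):
    """Return (key type, raw key blob) from an OpenSSH public-key line."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack("!I", blob[:4])
    # The blob starts with the key type as an SSH string; it must agree with the prefix.
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in blob does not match the line prefix")
    return keytype, blob


def sshfp_records(hostname, pubkey_line, fptypes=(1, 2)):
    """SSHFP presentation lines for hostname; the fingerprint is a hash of the key blob."""
    keytype, blob = parse_openssh_pubkey(pubkey_line)
    alg = SSHFP_ALGORITHM[keytype]
    return [f"{hostname} IN SSHFP {alg} {fptype} {FINGERPRINT[fptype](blob).hexdigest()}"
            for fptype in fptypes]


if __name__ == "__main__":
    for record in sshfp_records("host.majorbank.com.", SAMPLE_PUBKEY_LINE):
        print(record)
```

`ssh-keygen -r <hostname>` produces the same lines from a real key. On the client side OpenSSH's `VerifyHostKeyDNS` option only treats the record as trustworthy when the resolver reports it as DNSSEC-validated, which is the reason the slide ties this use to DNSSEC: an unsigned SSHFP record is just as spoofable as the A record on the cache-poisoning slide.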

Page 29

Potential Applications

• Build and improve on established trust models, e.g., CAs
• Greatly expanded SSL usage (currently ~4M/200M)
• Make S/MIME a reality
• May work in concert with, or enhance and extend, other cyber security efforts like digital identities, WebID, BrowserID, CAs, ..
• Securing VoIP
• Simplify WiFi roaming security
• Secure distribution of configurations (e.g., blacklists, anti-virus sigs)

Page 30

[Diagram: kinds of identifiers that could be anchored under a domain name such as mydomainname.com: an e-mail address ([email protected]), an IPv6 address (2001:470:8165:1:1e6f:65ff:fe87:5471), ICAO, and a telephone number (+1-202-709-5262).]

Page 31

In Search of Trust: a Perfect Storm?

• Government digital identity efforts
– US National Strategy for Trusted Identities in Cyberspace (NSTIC) (Apr 2011), Sweden e-ID, Brazil, etc..
– Interoperability / Assurance / Certification
• Certification Authority fix w/ DNSSEC
– Not perfect but decades of experience: Use it!
– Recent impetus to improve.
• Smart Electrical Grid efforts
– Not just reading meters
• DNS/DNSSEC part of all ecosystems

NSTIC http://www.nist.gov/nstic

Page 32

Summary

• DNSSEC will be a critical tool in combating the global nature of cyber crime, allowing cross-organizational and trans-national authentication

• As a global security federation DNSSEC is a platform for cyber security innovation and international cooperation

• Successful Internet example of bottom up development and multi-stakeholder, public-private cooperation

• DNSSEC does not solve all the ills of the Internet but can become a powerful tool in improving the security of the Internet.